Privacy & Information Security Law Blog

Episode 2: Response

In the second segment of our 3-part series with Lawline, Lisa J. Sotto, head of our Global Privacy and Cybersecurity practice at Hunton & Williams LLP, discusses data breach notification obligations and actions to take to manage the regulatory onslaught in the aftermath of a breach. Sotto notes that “these investigations are challenging because the threat actors are enormously sophisticated, and in some circumstances we can never figure out what happened.”

On September 23, 2016, the French Data Protection Authority ("CNIL") published the results of the Internet sweep on connected devices. The sweep was conducted in May 2016 to assess the quality of the information provided to users of connected devices, the level of security of the data flows and the degree of user empowerment (e.g., user’s consent and ability to exercise data protection rights).

On September 22, 2016, Korean law firm Bae, Kim & Lee LLC released a Legal Update outlining amendments to Korea’s Personal Information Protection Act (“PIPA”) and the Act on the Promotion of IT Network Use and Information Protection (“IT Network Act”).

On September 20, 2016, the Department of Transportation, through the National Highway Traffic Safety Administration (“NHTSA”), released federal cyber guidance for autonomous cars entitled Federal Automated Vehicles Policy (“guidance”).

On September 16, 2016, the Belgian Data Protection Authority (the “Privacy Commission”) published a 13-step guidance document (in French and Dutch) to help organizations prepare for the EU General Data Protection Regulation (“GDPR”).

The 13 steps recommended by the Privacy Commission are summarized below.

Episode 1: Identify & Mobilize

In the first segment of our 3-part series with Lawline, Lisa J. Sotto, head of our Global Privacy and Cybersecurity practice at Hunton & Williams LLP, explains how to identify a cyber incident, mobilize your incident response team, coordinate with law enforcement and conduct an investigation.

On September 15, 2016, the New Jersey Senate unanimously approved a bill that seeks to limit retailers’ ability to collect and use personal data contained on consumers’ driver and non-driver identification cards. The bill, known as the Personal Information and Privacy Protection Act, must now be approved by the New Jersey Assembly.

On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require banks, insurance companies and other financial services institutions to establish and maintain a cybersecurity program designed to ensure the safety of New York’s financial services industry and to protect New York State from the threat of cyber attacks. 

Recently, the National Privacy Commission (the “Commission”) of the Philippines published the final text of its Implementing Rules and Regulations of Republic Act No. 10173, known as the Data Privacy Act of 2012 (the “IRR”). The IRR has a promulgation date of August 24, 2016, and went into effect 15 days after the publication in the official Gazette.

On August 30, 2016, the First-tier Tribunal (Information Rights) (the “Tribunal”) dismissed an appeal from UK telecoms company TalkTalk Telecom Group PLC (“TalkTalk”) regarding a monetary penalty notice issued to it on February 17, 2016, by the UK Information Commissioner’s Office (“ICO”). The ICO had issued the monetary penalty notice to TalkTalk, for the amount of £1,000, for an alleged failure to report an October 2015 data breach to the ICO within the legally required time period.